[32704] in Kerberos
Re: "Negative cache rejected lookup for" host/princ when using GSSAPI
daemon@ATHENA.MIT.EDU (Jonathan Simms)
Wed Sep 22 22:02:08 2010
In-Reply-To: <AANLkTikbvbjDpPRbstWCsOUJJfH8HVkOdOVo5_XHVvH0@mail.gmail.com>
Date: Wed, 22 Sep 2010 22:02:03 -0400
Message-ID: <AANLkTikyNfFcw=9q1MDMUjS5T65r6vNmE_J7Lth+FmSg@mail.gmail.com>
From: Jonathan Simms <slyphon@gmail.com>
To: kerberos@mit.edu

On Wed, Sep 22, 2010 at 9:53 PM, Jonathan Simms <slyphon@gmail.com> wrote:
> On Wed, Sep 22, 2010 at 9:43 PM, Jonathan Simms <slyphon@gmail.com> wrote:
>> I found only one reference to the string "Negative cache rejected
>> lookup for" searching google for information, so I figured I'd ask
>> here. I'm connecting from a Mac OS X 10.6 box to a Debian 5 install. I
>> am kinited on osx, and try to ssh to the debian box, I get the
>> following error message in the debug output:
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Negative cache rejected lookup for 'host/$FQDN@$REALM'
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>> Server not found in Kerberos database
>>
>> debug1: Unspecified GSS failure. Minor code may provide more information
>>
>>
>> When I ssh to another box and kinit there, then ssh over to the same
>> host, it does the GSS exchange fine, forwards my credentials, and I
>> see the host's ticket when I do klist.
>>
>> Any clue what this negative cache is on OS-X and how to clear it? The
>> only reference I found was
>> http://eyck.forumakad.pl/~eyck/log/Tips/Kerberos.Negative.Cache.Rejected.Lookup.html
>> and I'd rather not reboot my box if I can help it :)
>>
>> -- Jonathan
>>
>
> Looking at the kdc logs, it seems that I got an UNKNOWN_SERVER
> response for the host I was trying to connect to (cfengine hadn't set
> up the principal yet). After setting up the principal and confirming
> in kadmin that it did indeed exist, I tried sshing again, and noticed
> that in the kdc logs, OS-X didn't even attempt to get a key for the
> host. It seems CCacheServer (I'm guessing) is caching the negative
> reply. Is there any way of tuning this behavior?
>

One last thing, if I kdestroy and kinit again, then ssh to the host, I
get a ticket for the host and the exchange works fine.